Adding file to archive when existing entry has AES encryption removes encryption?

icsharpcode / SharpZipLib

#ziplib is a Zip, GZip, Tar and BZip2 library written entirely in C# for the .NET platform.

http://icsharpcode.github.io/SharpZipLib/

MIT License

3.7k stars 976 forks source link

Adding file to archive when existing entry has AES encryption removes encryption? #439

Open jlficken opened 4 years ago

jlficken commented 4 years ago

Steps to reproduce

Create zip file with password protected zip entry that has AES encryption
Follow this tutorial - https://github.com/icsharpcode/SharpZipLib/wiki/Updating

Expected behavior

Existing entry should still have AES encryption

Actual behavior

AES encryption has been removed from the existing entry

Version of SharpZipLib

1.2.0.246

Obtained from (only keep the relevant lines)

Package installed using NuGet

Numpsy commented 4 years ago

I think that what happens in the simple add-new-file case might be that the encrypted entry data is copied across into the updated file, but when the central directory records are updated, it simply writes the wrong value for the compression method (so the entry data does remain encrypted, but the compression method is set to the actual compression method instead of 99)

The line @

https://github.com/icsharpcode/SharpZipLib/blob/fed3bd219f8bd2bac5287b6217b9c4c384bed35f/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs#L2217

should perhaps be

WriteLEShort((byte)entry.CompressionMethodForHeader);

ditto for

https://github.com/icsharpcode/SharpZipLib/blob/fed3bd219f8bd2bac5287b6217b9c4c384bed35f/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs#L2107

for a start?

Numpsy commented 4 years ago

@jlficken would you be able to see if the issue you're seeing is resolved in the latest code? (the latest CI builds for the master branch should include the fix)

jlficken commented 4 years ago

I'll check it out in the morning and report back.

Thanks!

jlficken commented 4 years ago

Dumb question but if I'm using NuGet in VS2015 what's the easiest way to test this or would I have to wait until it's released. I haven't started using GitHub or NuGet until recently so I'm still trying to figure things out.

Numpsy commented 4 years ago

You could try adding the appveyor CI package feed to your solution. If you create a file called 'NuGet.config' in your solution folder, and add

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <add key="szl" value="https://ci.appveyor.com/nuget/sharpziplib-cinugets" />
    </packageSources>
</configuration>

to it (you might then need to reload the project and/or visual studio) then the nuget package manager in visual studio should start to list an 'szl' entry in the package sources, and the SharpZipLib entry should have a lot of extra versions listed. (they unfortunately have unfriendly names, but it looks like 1.2.0-gf36ca37 is the current latest.) You might also need to check the 'enable prereleases' checkbox for the CI entries to appear.

I don't have VS 2015 to hand to test with, but this is what it looks like in 2019:

Numpsy commented 4 years ago

@piksel Should that appveyor nuget feed be documented somewhere? (I don't see it mentioned, and didn't realise there was one until recently, and it seems like something that might be useful for people wanting to test fixes?)

piksel commented 4 years ago

Yeah, you're right. I vaguely knew you could do that, but I haven't tried it.

That should definitely go into the wiki.

Numpsy commented 3 years ago

This issue should have been fixed now, and I don't think the appveyor package feed will apply any more if the builds are all done via Github actions (are there any CI packages published to a feed anywhere, or are they just attached to the build results? The packages at https://github.com/icsharpcode/SharpZipLib/packages/ only contains 1.2.0)